Abstract: In this paper we present an abstraction algorithm that produces a finite bisimulation quotient for an autonomous discrete-time linear system. We assume that the bisimulation quotient is required to preserve the observations over an arbitrary, finite number of polytopic subsets of the system state space. We generate the bisimulation quotient with the aid of a sequence of contractive polytopic sublevel sets obtained via a polyhedral Lyapunov function. The proposed algorithm guarantees that at iteration i, the bisimulation of the system within the i-th sublevel set of the Lyapunov function is completed. We then show how to use the obtained bisimulation quotient to verify the system with respect to arbitrary Linear Temporal Logic formulas over the observed regions. 



1. INTRODUCTION 

In recent years, there has been a trend to bridge the 
gap between control theory and formal methods. Con- 
trol theory allows verifications of "simple" specifications 
(such as stability or reachability) for "complex" dynamical 
systems with a possibly infinite state space, while formal 
verification methods enable validation of a "simple" finite 
system in a "complex" (rich and expressive) specification 
language. Recent studies in the area of abstraction allow 
one to model the behaviors of complex dynamical systems 
as finite systems, so that formulas in a rich specification 
language such as Linear Temporal Logic (LTL) can be 
used to analyze, verify and control the behavior of the 
system, with applications in areas such as robotics [Belta 
et al., 2007], multi-agent control systems [Loizou and Kyr- 
iakopoulos, 2004] and bioinformatics [Batt et al., 2005]. 

In this paper, we focus on autonomous (without inputs) 
linear systems, and we aim to generate a finite bisimulation 
abstraction of the system within some relevant subset of 
the state space. Since the bisimulation quotient preserves 
the language of the original infinite state system, it can be 
readily used for system verification. 

Our approach relies upon the existence of a polyhedral Lyapunov function, which is non-conservative for stable linear systems, and we take advantage of the recent method by Lazar [2010] to construct such Lyapunov functions. The polyhedral Lyapunov function is used to generate a sequence of sublevel sets, which are contractive polytopes. We propose to partition the state space with respect to these polytopic sublevel sets, as they allow us to incrementally generate the bisimulation quotient of the entire relevant state space. As the abstraction algorithm iterates, we guarantee that the bisimulation quotient is generated for an increasingly larger sublevel set, with no "holes" in the covered state space. The polytopic sublevel sets also ensure that the algorithm proposed in this paper only requires polytopic operations, and can be tractably implemented for systems in realistic and practical applications. 

This work is related to relevant works on the construction of finite quotients for infinite systems, such as controlled linear systems [Tabuada and Pappas, 2006, Pappas, 2003] and hybrid systems [Alur et al., 2000]. The bisimulation problem in general does not terminate [Milner, 1989]. We side-step this issue by only considering the system behavior within a relevant state space, i.e., in between two positively invariant compact sets that contain the origin in their interior. Such positively invariant sets with arbitrary sizes can be immediately obtained from the polyhedral Lyapunov function as polytopic sublevel sets (i.e., polytopes) centered at the origin. Therefore, the bisimulation algorithm can capture any relevant subset of the state space. This also directly gives a trade-off between the size of the bisimulation quotient and the size of the relevant state space being analyzed. 

Another conceptually related work is Sloth and Wis- 
niewski [2010], where two orthogonal (quadratic) Lya- 
punov functions were used for the abstraction of continuous- 
time Morse-Smale systems (including hyperbolic linear 
systems) to timed automata. Besides targeting general 
discrete-time linear systems, the main difference between 
Sloth and Wisniewski [2010] and the approach proposed 
in this paper comes from the usage of polyhedral Lyapunov 
functions. This turns out to be beneficial, as it removes the 
need for two orthogonal Lyapunov functions and it results 
in a tractable implementation. 



The rest of the paper is organized as follows. We introduce 
preliminaries in Sec. 2 and formulate the problem in Sec. 3. 
We present the algorithm to generate the bisimulation 
quotient in Sec. 4, and we show in Sec. 5 how the 
resulting bisimulation quotient can be used to verify the 
system behavior against formulas in LTL. Conclusions are 
summarized in Sec. 6. 

2. PRELIMINARIES 

For a set $S$, $\mathrm{int}(S)$, $\partial(S)$, $\mathrm{Co}(S)$, $|S|$, and $2^S$ stand for its interior, boundary, convex hull, cardinality, and power set, respectively. For $\lambda \in \mathbb{R}$ and $S \subseteq \mathbb{R}^n$, let $\lambda S := \{\lambda x \mid x \in S\}$. We use $\mathbb{R}$, $\mathbb{R}_+$, $\mathbb{Z}$, and $\mathbb{Z}_+$ to denote the sets of real numbers, non-negative reals, integer numbers, and non-negative integers. For $m, n \in \mathbb{Z}_+$, we use $\mathbb{R}^n$ and $\mathbb{R}^{m \times n}$ to denote the set of column vectors and matrices with $n$ and $m \times n$ real entries. For a vector $x \in \mathbb{R}^n$, $[x]_i$ denotes the $i$-th element of $x$ and $\|x\|_\infty = \max_{i=1,\dots,n} |[x]_i|$ denotes the infinity norm of $x$. For a matrix $Z \in \mathbb{R}^{m \times n}$, let $\|Z\|_\infty$ denote its infinity norm. 



An $n$-dimensional polytope $\mathcal{P}$ (see, e.g., Ziegler [1995]) in $\mathbb{R}^n$ can be described as the convex hull of $n+1$ affinely independent points in $\mathbb{R}^n$. Alternatively, $\mathcal{P}$ can be described as the intersection of $k$, where $k \geq n+1$, closed half spaces, i.e., there exist $k \geq n+1$ and $H_\mathcal{P} \in \mathbb{R}^{k \times n}$, $h_\mathcal{P} \in \mathbb{R}^k$, such that 

$\mathcal{P} = \{x \in \mathbb{R}^n \mid H_\mathcal{P} x \leq h_\mathcal{P}\}$. (1) 

We assume polytopes in $\mathbb{R}^n$ are $n$-dimensional unless noted otherwise. The boundary sets of a polytope $\mathcal{P}$ are called facets, denoted by $f(\mathcal{P})$, which are themselves $(n-1)$-dimensional polytopes. A semi-linear set (sometimes called a polyhedron in the literature) in $\mathbb{R}^n$ is defined by finite unions, intersections and complements of sets $\{x \in \mathbb{R}^n \mid a^\top x \sim b,\ \sim \in \{=, <\}\}$, for some $a \in \mathbb{R}^n$ and $b \in \mathbb{R}$. Note that a convex and bounded semi-linear set is equivalent to a polytope with some of its facets removed. 

2.1 Transition systems and bisimulations 

Definition 2.1. A transition system (TS) is a tuple $T = (Q, \to, \Pi, h)$, where 

• $Q$ is a (possibly infinite) set of states; 

• $\to \subseteq Q \times Q$ is the set of transitions; 

• $\Pi$ is a finite set of observations; and 

• $h : Q \to 2^\Pi$ is the observation map. 

We denote $x \to x'$ if $(x, x') \in \to$. We assume $T$ to be non-blocking, i.e., for each $x \in Q$, there exists $x' \in Q$ such that $x \to x'$. A trajectory of a TS from an initial state $x_0$ is an infinite sequence $x = x_0 x_1 \dots$ where $x_k \to x_{k+1}$ for all $k \in \mathbb{Z}_+$. A trajectory $x$ generates a word $o = o_0 o_1 \dots$, where $o_k = h(x_k)$ for all $k \in \mathbb{Z}_+$. 

The TS $T$ is finite if $|Q| < \infty$, otherwise $T$ is infinite. Moreover, $T$ is deterministic if for all $x \in Q$, there exists at most one $x' \in Q$ such that $x \to x'$; otherwise, $T$ is called non-deterministic. Given a set $X \subseteq Q$, we define: 

$\mathrm{Pre}_T(X) = \{x \in Q \mid \exists x' \in X,\ x \to x'\}$, (2) 

i.e., $\mathrm{Pre}_T(X)$ is the subset of $Q$ that reaches $X$ in one step. At a state $x \in Q$, the set of all words generated by trajectories originating from $x$ is called the language of $T$ originating at $x$, which is denoted by $\mathcal{L}_T(x)$. We also denote by $\mathcal{L}_T(X)$ the language of $T$ originating from states in a subset $X \subseteq Q$. 

States of a TS can be related by a relation $\sim \subseteq Q \times Q$. For convenience of notation, we denote $x \sim x'$ if $(x, x') \in \sim$. The subset $X \subseteq Q$ is called an equivalence class if $x, x' \in X \Leftrightarrow x \sim x'$. We denote by $Q/_\sim$ the set labeling all equivalence classes and define a map $\mathrm{eq} : Q/_\sim \to 2^Q$ such that $\mathrm{eq}(X_\sim)$ is the set of states in the equivalence class $X_\sim \in Q/_\sim$. 

Definition 2.2. We say that a relation $\sim$ is observation preserving if for any $x, x' \in Q$, $x \sim x'$ implies that $h(x) = h(x')$. 

A finite partition $P$ of a set $S$ is a finite collection of sets $P := \{P_i\}_{i \in I}$ such that $\bigcup_{i \in I} P_i = S$ and $P_i \cap P_j = \emptyset$ if $i \neq j$. A finite refinement of $P$ is a finite partition $P'$ of $S$ such that for each $P_i' \in P'$, there exists $P_j \in P$ such that $P_i' \subseteq P_j$. Note that $P$ is a trivial refinement of itself. 

A partition naturally induces a relation, and an observation preserving relation induces a quotient TS. Given a TS $T = (Q, \to, \Pi, h)$, a partition $P$ of $Q$ induces a relation $\sim$, such that $x \sim x'$ if and only if there exists $P_i \in P$ with $x, x' \in P_i$. If $\sim$ induced by $P$ is observation preserving, then $P$ is said to be an observation preserving partition. One can immediately verify that a refinement of an observation preserving partition is also observation preserving. 

Definition 2.3. Given a TS $T = (Q, \to, \Pi, h)$ and an observation preserving relation $\sim$, a quotient transition system $T/_\sim = (Q/_\sim, \to_\sim, \Pi, h_\sim)$ is a transition system, where 

• $Q/_\sim$ is the set labeling all equivalence classes; 

• $\to_\sim$ is defined as follows: given $X_\sim, Y_\sim \in Q/_\sim$, $X_\sim \to_\sim Y_\sim$ if and only if there exist $x \in \mathrm{eq}(X_\sim)$ and $x' \in \mathrm{eq}(Y_\sim)$ such that $x \to x'$; 

• The set of observations $\Pi$ is inherited from $T$; 

• $h_\sim(X_\sim) := h(x)$, where $x \in \mathrm{eq}(X_\sim)$ (note that this map is only well-defined if $\sim$ is observation preserving). 

Definition 2.4. Given a TS $T = (Q, \to, \Pi, h)$, a relation $\sim$ is a bisimulation relation of $T$ if (1) $\sim$ is observation preserving; and (2) for any $x_1, x_2 \in Q$, if $x_1 \sim x_2$ and $x_1 \to x_1'$, then there exists $x_2' \in Q$ such that $x_2 \to x_2'$ and $x_1' \sim x_2'$. 


If $\sim$ is a bisimulation, then the quotient transition system $T/_\sim$ is called a bisimulation quotient of $T$. In this case, $T$ and $T/_\sim$ are said to be bisimilar. Bisimulation is a very strong equivalence relation between systems. In particular, it implies language equivalence. Specifically, we have 

$\forall X_\sim \in Q/_\sim,\ \mathcal{L}_T(\mathrm{eq}(X_\sim)) = \mathcal{L}_{T/_\sim}(X_\sim)$. (3) 

This fact (see [Milner, 1989, Browne et al., 1988, Davoren and Nerode, 2000]) ensures that a bisimulation preserves properties expressed in temporal logics such as LTL, CTL and $\mu$-calculus. As such, it is used as an important tool to reduce the complexity of system analysis or verification, since the bisimulation quotient (which may be finite and thus much smaller) can be analyzed or verified instead of the original system. 
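The following is an added example, not code from the paper: it computes the coarsest bisimulation quotient (Defs. 2.1 to 2.4) of a small finite transition system by partition refinement, starting from the coarsest observation preserving partition and splitting classes until condition (2) of Def. 2.4 holds, and then builds $\to_\sim$ and $h_\sim$ as in Def. 2.3. The transition system, its states and observations are constructed for illustration only.

```python
"""Coarsest bisimulation quotient of a finite transition system (Defs. 2.1-2.4).

Added example, not code from the paper. The transition system below is
constructed for illustration; the refinement loop splits observation classes
by the set of classes their successors fall in until Def. 2.4 (2) holds.
"""
from collections import defaultdict

# Constructed TS: states 0..6, transitions (->) and observation map h.
TRANSITIONS = {0: {1}, 1: {2}, 2: {2}, 3: {4}, 4: {5}, 5: {5}, 6: {2}}
OBS = {0: frozenset({"a"}), 1: frozenset({"b"}), 2: frozenset({"c"}),
       3: frozenset({"a"}), 4: frozenset({"b"}), 5: frozenset({"c"}),
       6: frozenset({"a"})}


def bisimulation_quotient(transitions, obs):
    """Return (class_of, quotient_transitions, quotient_obs).

    class_of maps each state to its equivalence-class label (Q/~);
    quotient_transitions is ->~ of Def. 2.3; quotient_obs is h~.
    """
    # Start from the coarsest observation preserving partition: group by h(x).
    class_of = {x: obs[x] for x in transitions}
    while True:
        # Signature of x: its observation plus the set of classes reachable in
        # one step. States with equal signatures satisfy Def. 2.4 (2) with
        # respect to the current partition; the new partition refines the old.
        signature = {x: (obs[x], frozenset(class_of[y] for y in transitions[x]))
                     for x in transitions}
        if len(set(signature.values())) == len(set(class_of.values())):
            break  # no class was split: the partition is stable
        class_of = signature
    # Relabel classes with small integers in order of first appearance.
    labels = {}
    for x in sorted(transitions):
        labels.setdefault(class_of[x], len(labels))
    class_of = {x: labels[class_of[x]] for x in transitions}
    quotient_transitions = defaultdict(set)
    for x, succ in transitions.items():
        for y in succ:
            quotient_transitions[class_of[x]].add(class_of[y])
    quotient_obs = {class_of[x]: obs[x] for x in transitions}
    return class_of, dict(quotient_transitions), quotient_obs


def is_bisimulation(transitions, obs, class_of):
    """Check Def. 2.4 directly on the original TS for a given partition."""
    for x1 in transitions:
        for x2 in transitions:
            if class_of[x1] != class_of[x2]:
                continue
            if obs[x1] != obs[x2]:
                return False  # not observation preserving
            for y1 in transitions[x1]:
                if not any(class_of[y1] == class_of[y2] for y2 in transitions[x2]):
                    return False  # x1 -> y1 cannot be matched from x2
    return True


if __name__ == "__main__":
    classes, qt, qo = bisimulation_quotient(TRANSITIONS, OBS)
    print("Q/~ :", classes)
    print("->~ :", qt)
    print("bisimulation:", is_bisimulation(TRANSITIONS, OBS, classes))
```

In the constructed system, states 0 and 3 (and likewise 1 and 4, 2 and 5) end up in the same class, whereas state 6, which shares the observation of state 0 but moves directly to the class of state 2, is split off; the observation partition alone is therefore not a bisimulation, which `is_bisimulation` confirms.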



2.2 Polyhedral Lyapunov functions 

Consider an autonomous discrete-time system, 

$x_{k+1} = \Phi(x_k), \quad k \in \mathbb{Z}_+$, (4) 

where $x_k \in \mathbb{R}^n$ is the state at the discrete-time instant $k$ and $\Phi : \mathbb{R}^n \to \mathbb{R}^n$ is an arbitrary map with $\Phi(0) = 0$. Given a state $x \in \mathbb{R}^n$, $x^+ := \Phi(x)$ is called the successor state of $x$. 

A function $\varphi : \mathbb{R}_+ \to \mathbb{R}_+$ belongs to class $\mathcal{K}_\infty$ if it is continuous, strictly increasing, $\varphi(0) = 0$ and $\lim_{s \to \infty} \varphi(s) = \infty$. 

Definition 2.5. We call a set $\mathcal{P} \subseteq \mathbb{R}^n$ positively invariant for system (4) if for all $x \in \mathcal{P}$ it holds that $\Phi(x) \in \mathcal{P}$. Let $\lambda \in [0, 1]$. We call $\mathcal{P} \subseteq \mathbb{R}^n$ $\lambda$-contractive (or shortly, contractive) if for all $x \in \mathcal{P}$ it holds that $\Phi(x) \in \lambda\mathcal{P}$. 

The proof for the following theorem can be found in [Jiang and Wang, 2002, Lazar, 2006]. 

Theorem 2.1. Let $\mathcal{X}$ be a positively invariant set for (4) with $0 \in \mathrm{int}(\mathcal{X})$. Furthermore, let $\alpha_1, \alpha_2 \in \mathcal{K}_\infty$, $\rho \in (0, 1)$ and $V : \mathbb{R}^n \to \mathbb{R}_+$ such that: 

$\alpha_1(\|x\|) \leq V(x) \leq \alpha_2(\|x\|), \quad \forall x \in \mathcal{X}$, (5) 

$V(\Phi(x)) \leq \rho V(x), \quad \forall x \in \mathcal{X}$. (6) 

Then system (4) is asymptotically stable in $\mathcal{X}$. 



Definition 2.6. A function $V : \mathbb{R}^n \to \mathbb{R}_+$ is called a Lyapunov function (LF) in $\mathcal{X}$ if it satisfies (5) and (6). If $\mathcal{X} = \mathbb{R}^n$, then $V$ is called a global Lyapunov function. 

The parameter $\rho$ is called the contraction rate of $V$. For any $\Gamma > 0$, $\mathcal{P}_\Gamma := \{x \in \mathbb{R}^n \mid V(x) \leq \Gamma\}$ is called a sublevel set of $V$. 

For the remainder of this paper we consider LFs defined using the infinity norm, i.e., 

$V(x) = \|Lx\|_\infty, \quad L \in \mathbb{R}^{l \times n},\ l \geq n$, (7) 

where $L$ has full column rank. Notice that infinity norm Lyapunov functions belong to a particular class of 0-symmetric polyhedral Lyapunov functions. We opted for this type of function to simplify the exposition but in fact, the proposed abstraction method applies to general polyhedral Lyapunov functions defined by Minkowski (gauge) functions of polytopes in $\mathbb{R}^n$ with the origin in their interior. 

Proposition 2.1. Suppose that $L \in \mathbb{R}^{l \times n}$ has full column rank and $V$ as defined in (7) is a global LF for system (4) with contraction rate $\rho \in (0, 1)$. Then for all $\Gamma > 0$ it holds that $\mathcal{P}_\Gamma$ is a polytope and $0 \in \mathrm{int}(\mathcal{P}_\Gamma)$. Moreover, if $\Phi(x) = Ax$ for some $A \in \mathbb{R}^{n \times n}$, then for all $\Gamma > 0$ it holds that $\mathcal{P}_\Gamma$ is a $\rho$-contractive polytope for (4). 

The proof of the above result is a straightforward applica- 
tion of results in [Blanchini, 1994, Lazar, 2010]. 

3. PROBLEM FORMULATION 

In this paper, we consider autonomous discrete-time linear and time-invariant (LTI) systems, i.e., 

$x_{k+1} = A x_k, \quad k \in \mathbb{Z}_+$, (8) 

where $A \in \mathbb{R}^{n \times n}$ is a strictly stable (i.e., Schur) matrix. In this paper, we assume that a global polyhedral Lyapunov function (LF) of the form (7) with contraction rate $\rho \in (0, 1)$ is known for system (8) (see Sec. 2.2). The algorithm proposed in [Lazar, 2010] is employed to construct such a function with a desired contraction rate. 

Let $\mathcal{X}$ be the polytope $\mathcal{X} := \{x \mid \|Lx\|_\infty \leq \Gamma_\mathcal{X}\}$ and $\mathcal{V}$ be the polytope $\mathcal{V} := \{x \mid \|Lx\|_\infty \leq \Gamma_\mathcal{V}\}$, where $L$ corresponds to the polytopic LF (7) of system (8) and we assume that $\Gamma_\mathcal{V} < \Gamma_\mathcal{X}$. Note that $\mathcal{V} \subset \mathcal{X}$ and $0 \in \mathrm{int}(\mathc{V}) \subset \mathrm{int}(\mathcal{X})$. We call $\mathcal{X}$ the working set and $\mathcal{V}$ the target set. We are interested in analyzing and verifying the behavior of the system within $\mathcal{X}$ with respect to polytopic regions in the state space, until the target set $\mathcal{V}$ is reached (since $\mathcal{V}$ is positively invariant, the system trajectory will remain within $\mathcal{V}$ after it reaches $\mathcal{V}$). Note that we can pick $\Gamma_\mathcal{V}$ arbitrarily small and $\Gamma_\mathcal{X}$ arbitrarily large so as to capture any compact relevant subset of $\mathbb{R}^n$. 

Remark 3.1. Our results can be extended to arbitrary positively invariant sets $\mathcal{X}$ and $\mathcal{V}$, i.e., not obtained as the sublevel sets of (7). We chose to work with sublevel sets of the given polyhedral LF for the simplicity of presentation, and because such LFs allow us to easily construct a polytopic positively invariant set of any size. 

We assume that there exists a set $\mathcal{R}$ of polytopes indexed by a finite set $R$, i.e., $\mathcal{R} := \{\mathcal{R}_i\}_{i \in R}$, where $\mathcal{R}_i \subset \mathcal{X} \setminus \mathcal{V}$ for all $i \in R$, and $\mathcal{R}_i \cap \mathcal{R}_j = \emptyset$ for any $i \neq j$. 

Example 3.1. Consider a system as in (8) with $A$ given by a $2 \times 2$ matrix [entries illegible in the source]. A polyhedral Lyapunov function was constructed with the method in [Lazar, 2010], where 

$L = \begin{pmatrix} 0.0625 & 0.6815 & 0.9947 & 0.9947 \\ 1 & 1 & 0.6868 & -0.0678 \end{pmatrix}^\top$, 

and $\rho = 0.94$. We chose $\Gamma_\mathcal{X} = 10$ and $\Gamma_\mathcal{V} = 5.063$. We show the polytopes $\mathcal{X}$, $\mathcal{V}$, and a set of polytopes $\mathcal{R}$ in Fig. 1. 




Fig. 1. An example in $\mathbb{R}^2$ of the working set $\mathcal{X}$ (in yellow), the target set $\mathcal{V}$ (in brown), and a set of observationally relevant polytopes $\mathcal{R} = \{\mathcal{R}_1, \mathcal{R}_2, \mathcal{R}_3\}$ (in green). 

The set $\mathcal{R}$ represents regions of interest in the relevant state space, and the polytopes in $\mathcal{R}$ are considered as observations of (8). Therefore, informally, a trajectory $x_0 x_1 \dots$ of (8) produces an infinite sequence of observations $o_0 o_1 \dots$, such that $o_k$ is the index of the polytope in $\mathcal{R}$ visited by state $x_k$, or $o_k = \emptyset$ if $x_k$ is in none of the polytopes. The definition of the semantics of the system can be formalized through an embedding of (8) into a transition system, as follows. 



Definition 3.1. Let $\mathcal{X}$, $\mathcal{V}$, and $\mathcal{R} = \{\mathcal{R}_i\}_{i \in R}$ be given. The embedding transition system from (8) is a transition system $T_e = (Q_e, \to_e, \Pi_e, h_e)$ where 

• $Q_e = \{x \in \mathbb{R}^n \mid x \in \mathcal{X}\}$; 

• (i) If $x \in \mathcal{X} \setminus \mathcal{V}$, then $x \to_e x'$ if and only if $x' = Ax$, i.e., $x'$ is the state at the next time-step after applying the dynamics of (8) at $x$; (ii) If $x \in \mathcal{V}$, $x \to_e x$ (since the target set $\mathcal{V}$ is already reached, the behavior of the system after $\mathcal{V}$ is reached is no longer relevant); 

• $\Pi_e = R \cup \{\Pi_\mathcal{V}\}$, i.e., the set of observations is the set of labels of regions, plus the label $\Pi_\mathcal{V}$ for $\mathcal{V}$; 

• (i) $h_e(x) = i$ if and only if $x \in \mathcal{R}_i$; (ii) $h_e(x) = \emptyset$ if and only if $x \in \mathcal{X} \setminus (\mathcal{V} \cup \bigcup_{i \in R} \mathcal{R}_i)$; (iii) $h_e(x) = \Pi_\mathcal{V}$ if and only if $x \in \mathcal{V}$. 



Note that $T_e$ is infinite and deterministic. Moreover, $T_e$ exactly captures the system dynamics under (8) in the relevant state space $\mathcal{X} \setminus \mathcal{V}$, since a transition of the embedding TS $T_e$ naturally corresponds to the evolution of the discrete-time system in one time-step (until the target set is reached). Indeed, the trajectory of $T_e$ from a state $x \in \mathcal{X} \setminus \mathcal{V}$ is exactly the same as the trajectory of the system from $x$ evolved under (8) until $\mathcal{V}$ is reached. 

The state space of $T_e$ (which is the working set $\mathcal{X}$) can be naturally partitioned as 

$P_\mathcal{X} := \{\mathcal{R}_i\}_{i \in R} \cup \{\mathcal{X} \setminus (\mathcal{V} \cup \bigcup_{i \in R} \mathcal{R}_i)\} \cup \{\mathcal{V}\}$. (9) 



It is straightforward to establish from the definition of $h_e$ in $T_e$ that the relation induced by $P_\mathcal{X}$ (see Sec. 2.1) is observation preserving. We now formulate the main problem addressed in this paper. 

Problem 3.1. Let a system (8) with a polyhedral Lyapunov function of the form (7), sets $\mathcal{X}$, $\mathcal{V}$ and $\{\mathcal{R}_i\}_{i \in R}$ be given. Find a finite observation preserving partition $P$ such that its induced relation $\sim$ is a bisimulation of the embedding transition system $T_e$, and obtain the corresponding bisimulation quotient $T_e/_\sim$. 

Remark 3.2. In fact, $P_\mathcal{X}$ is the coarsest observation preserving partition for $T_e$, and its induced relation is called an observation equivalence relation in the literature. As a result, a finite partition is observation preserving if and only if it is a refinement of $P_\mathcal{X}$. Therefore, any solution of Prob. 3.1 is a refinement of $P_\mathcal{X}$. 

4. GENERATING THE BISIMULATION QUOTIENT 

Starting from a polyhedral Lyapunov function $V(x) = \|Lx\|_\infty$ with a contraction rate $\rho \in (0, 1)$ as described in Sec. 2.2 for system (8), we first generate a sequence of polytopic sublevel sets of the form $\mathcal{P}_\Gamma := \{x \in \mathbb{R}^n \mid \|Lx\|_\infty \leq \Gamma\}$ as follows. Recall that $\mathcal{X} = \mathcal{P}_{\Gamma_\mathcal{X}}$ and $\mathcal{V} = \mathcal{P}_{\Gamma_\mathcal{V}}$ for some $0 < \Gamma_\mathcal{V} < \Gamma_\mathcal{X}$. We define a finite sequence $\Gamma := \Gamma_0, \dots, \Gamma_N$, where 

$\Gamma_{i+1} = \rho^{-1} \Gamma_i, \quad i = 0, \dots, N-2$, (10) 

where $\Gamma_0 := \Gamma_\mathcal{V}$, $\Gamma_N := \Gamma_\mathcal{X}$, and $N := \arg\min_N \{\rho^{-N} \Gamma_0 \mid \rho^{-N} \Gamma_0 > \Gamma_\mathcal{X}\}$. The sequence $\Gamma$ generates a sequence of sublevel sets $\mathcal{P}_\Gamma := \mathcal{P}_{\Gamma_0}, \dots, \mathcal{P}_{\Gamma_N}$. From the definition of the sublevel sets and $\Gamma$, we have that 

$\mathcal{P}_{\Gamma_0} \subset \mathcal{P}_{\Gamma_1} \subset \dots \subset \mathcal{P}_{\Gamma_N}$. (11) 

Note that $\mathcal{P}_{\Gamma_0}$ is exactly $\mathcal{V}$, $\mathcal{P}_{\Gamma_N}$ is exactly $\mathcal{X}$, and $\mathcal{P}_{\Gamma_{N-1}}$ is the largest sublevel set defined via (10) that is a subset of $\mathcal{X}$. 

Next, we define a slice of the state space as follows: 

$S_i := \mathcal{P}_{\Gamma_i} \setminus \mathcal{P}_{\Gamma_{i-1}}, \quad i = 1, \dots, N$. (12) 

For convenience, we also denote $S_0 := \mathcal{P}_{\Gamma_0}$ (although $S_0$ is not a slice in between two sublevel sets). We immediately see that the sets $\{S_i\}_{i=0,\dots,N}$ form a partition of $\mathcal{X}$. Note that the slices are bounded semi-linear sets (see Sec. 2). 

Example 4.1. (Example 3.1 continued). Consider the system and sets as given in Example 3.1. The polytopic sublevel sets $\mathcal{P}_\Gamma := \mathcal{P}_{\Gamma_0}, \dots, \mathcal{P}_{\Gamma_N}$ are shown in Fig. 2. 

Fig. 2. An example of sublevel sets with $N$ [value missing in the source] and the slice $S_0$ (in purple). 

The sublevel sets and the slices are specifically constructed as in (10) with the contractive parameter $\rho$, in order to provide the useful property that states within a slice must transition to a lower slice. 

Proposition 4.1. Assume that the set of slices $\{S_i\}_{i=0,\dots,N}$ is obtained by a sequence $\Gamma$ satisfying (10). Given a state $x$ in the $i$-th slice, i.e., $x \in S_i$, where $1 \leq i \leq N$, its successor state $x' = Ax$ satisfies $x' \in S_j$ for some $j < i$. 

Proof. From Prop. 2.1, we have that the sets $\mathcal{P}_{\Gamma_i}$ are $\rho$-contractive. By the definition of a $\rho$-contractive set (Def. 2.5), we have that $x' = Ax \in \rho\mathcal{P}_{\Gamma_i} = \{x \in \mathbb{R}^n \mid \|Lx\|_\infty \leq \rho\Gamma_i\}$. From (10), we have $\rho\Gamma_i = \Gamma_{i-1}$. Therefore $\mathcal{P}_{\Gamma_{i-1}} = \{x \in \mathbb{R}^n \mid \|Lx\|_\infty \leq \Gamma_{i-1}\}$ implies that $\mathcal{P}_{\Gamma_{i-1}} = \{x \in \mathbb{R}^n \mid \|Lx\|_\infty \leq \rho\Gamma_i\}$ and hence $\mathcal{P}_{\Gamma_{i-1}} = \rho\mathcal{P}_{\Gamma_i}$ and $x' \in \mathcal{P}_{\Gamma_{i-1}}$. From the definition of slices (12), $x' \in S_j$ for some $j < i$. ∎ 
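The following is an added example, not code from the paper, that carries the construction (10) to (12) and the slice property of Prop. 4.1 through on a constructed two-dimensional system. The matrices $A$ and $L$, and the sizes $\Gamma_\mathcal{V}$ and $\Gamma_\mathcal{X}$, are assumptions chosen for illustration and are not those of Example 3.1; in particular $L$ is taken square and invertible so that a contraction rate can be certified directly from the induced infinity norm of $L A L^{-1}$ (with $y = Lx$, $V(Ax) = \|LAL^{-1}y\|_\infty \leq \|LAL^{-1}\|_\infty V(x)$), which replaces the construction of [Lazar, 2010] used by the paper.

```python
"""Sublevel sets (10)-(12) of an infinity-norm Lyapunov function and the
slice-decrease property of Prop. 4.1, for a constructed 2-D system.

Added example (not the paper's code). A and L are constructed for
illustration; L is square and invertible so that rho can be certified by
||L A L^{-1}||_inf instead of the LF synthesis of [Lazar, 2010].
"""

A = [[0.5, 0.2], [-0.1, 0.6]]      # constructed Schur matrix of system (8)
L = [[1.0, 0.5], [0.0, 1.0]]       # constructed full-rank L of the LF (7)
GAMMA_V, GAMMA_X = 1.0, 4.0        # constructed target / working set sizes


def matvec(M, x):
    return [sum(M[i][j] * x[j] for j in range(len(x))) for i in range(len(M))]


def matmul(M, N):
    return [[sum(M[i][k] * N[k][j] for k in range(len(N))) for j in range(len(N[0]))]
            for i in range(len(M))]


def inv2(M):
    """Inverse of a 2x2 matrix (enough for this constructed example)."""
    (a, b), (c, d) = M
    det = a * d - b * c
    return [[d / det, -b / det], [-c / det, a / det]]


def induced_inf_norm(M):
    """||M||_inf = maximum absolute row sum."""
    return max(sum(abs(v) for v in row) for row in M)


def contraction_rate(A, L):
    """rho certified by the induced norm of L A L^{-1}; (6) holds globally if rho < 1."""
    return induced_inf_norm(matmul(matmul(L, A), inv2(L)))


def lyapunov(x):
    """V(x) = ||L x||_inf, eq. (7)."""
    return max(abs(v) for v in matvec(L, x))


def gamma_sequence(gamma_v, gamma_x, rho):
    """Gamma_0, ..., Gamma_N of (10): Gamma_0 = Gamma_V, Gamma_{i+1} = Gamma_i / rho,
    N is the first index with rho^-N Gamma_0 > Gamma_X, and Gamma_N := Gamma_X."""
    gammas = [gamma_v]
    while gammas[-1] <= gamma_x:
        gammas.append(gammas[-1] / rho)
    gammas[-1] = gamma_x
    return gammas


def slice_index(x, gammas):
    """Index i of the slice S_i (12) containing x, or None if x lies outside X."""
    v = lyapunov(x)
    for i, g in enumerate(gammas):
        if v <= g:
            return i
    return None


def successor_slices_decrease(gammas, grid=13):
    """Prop. 4.1 checked on a grid of sample points: for every x in S_i with
    i >= 1, the successor A x lies in some S_j with j < i."""
    span = gammas[-1] * 2
    for p in range(-grid, grid + 1):
        for q in range(-grid, grid + 1):
            x = [span * p / grid, span * q / grid]
            i = slice_index(x, gammas)
            if i is None or i == 0:
                continue
            j = slice_index(matvec(A, x), gammas)
            if j is None or j >= i:
                return False
    return True


if __name__ == "__main__":
    rho = contraction_rate(A, L)
    gammas = gamma_sequence(GAMMA_V, GAMMA_X, rho)
    print("rho =", rho, " N =", len(gammas) - 1, " Gamma =", gammas)
    x = [3.0, 1.0]
    print("x in S_%d, A x in S_%d" % (slice_index(x, gammas), slice_index(matvec(A, x), gammas)))
    print("all sampled successors drop to a lower slice:", successor_slices_decrease(gammas))
```

With these constructed values the certified rate is $\rho = 0.75$, the sequence (10) gives $N = 5$ with $\Gamma_5 := \Gamma_\mathcal{X} = 4$, and the sample state $x = (3, 1)$ in $S_5$ has its successor in $S_3$.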

We now present the abstraction algorithm (see Alg. 1) that computes the bisimulation quotient. In Alg. 1, we make use of two procedures FindPre and Refine, which will be further explained below. The main idea is to start with $P_\mathcal{X}$ and iteratively refine the partition until it becomes a refinement of both $P_\mathcal{X}$ as in (9) and $\{S_i\}_{i=0,\dots,N}$. The first procedure is necessary so that the partition is observation preserving. The second procedure allows us to ensure that at iteration $i$ of the algorithm, the bisimulation quotient for states within $\mathcal{P}_{\Gamma_i}$ is completed. Similar to the slices, the solution to Prob. 3.1 obtained from Alg. 1 is a partition consisting of bounded semi-linear sets. 



Algorithm 1 Abstraction algorithm 

Input: System dynamics (8), polytopic LF $V(x) = \|Lx\|_\infty$ with a contraction rate $\rho$, sets $\mathcal{X}$, $\mathcal{V}$ and $\{\mathcal{R}_i\}_{i \in R}$. 
Output: $T_e/_\sim$ as a bisimulation quotient of the embedding transition system $T_e$ and the corresponding observation preserving partition $P$. 
1: Generate the sequence of sublevel sets $\mathcal{P}_\Gamma = \mathcal{P}_{\Gamma_0}, \dots, \mathcal{P}_{\Gamma_N}$ and slices $S_0, \dots, S_N$ as defined in (12). 
2: Obtain $P_\mathcal{X}$ as in (9). 
3: Set $P_0 := \mathrm{Refine}(P_\mathcal{X}, \{S_i\}_{i=0,\dots,N})$. 
4: Initialize $T_e/_{\sim_0}$ by setting $Q_e/_{\sim_0}$ as the set labeling $P_0$. Set a transition only for the state $q \in Q_e/_{\sim_0}$ where $\mathrm{eq}(q) = S_0 = \mathcal{V}$, with $q \to_{\sim_0} q$. 
5: for each $i = 0, \dots, N-1$ do 
6:   for each $P \in P_i$ where $P \subseteq S_i$ do 
7:     Find $P_{pre} = \mathrm{FindPre}(P)$ 
8:     Set $P_{i+1} = \mathrm{Refine}(P_i, P_{pre})$. Update and add the corresponding states in $T_e/_{\sim_{i+1}}$. Set the transitions of the added states to $P$ in $T_e/_{\sim_{i+1}}$. 
9:   end for 
10: end for 
11: Return $T_e/_{\sim_N}$ and $P_N$ as a solution to Prob. 3.1. 



Procedure $\mathrm{FindPre}(P)$ takes as input $P$, a bounded semi-linear set (e.g., a slice), and returns the set $\mathrm{Pre}_{T_e}(P)$. In general, the Pre of a semi-linear set is a semi-linear set, and it can be computed via quantifier elimination [Bochnak et al., 1998]. In particular, a bounded semi-linear set $P$ belongs to one of the following cases: 

(i) If $P$ is a polytope $\mathcal{P}$ in the representation $\mathcal{P} = \{x \in \mathbb{R}^n \mid H_\mathcal{P} x \leq h_\mathcal{P}\}$ for some $k \geq n+1$, $H_\mathcal{P} \in \mathbb{R}^{k \times n}$ and $h_\mathcal{P} \in \mathbb{R}^k$, the Pre of $P$ can be obtained using polytopic operations only, as 

$\mathrm{Pre}_{T_e}(P) = \{x \in \mathbb{R}^n \mid H_\mathcal{P} A x \leq h_\mathcal{P}\}$, (13) 

which is a possibly degenerate polytope in $\mathbb{R}^n$. Note that (13) applies to a polytope $P$ of any dimension; 

(ii) If $P$ is a union of polytopes, one can use a standard convex decomposition method to decompose $P$ into a set of polytopes $\{\mathcal{P}_i\}_{i \in I}$ (see, e.g., [Grünbaum, 2003]). The Pre of $P$ can then be computed as $\bigcup_{i \in I} \mathrm{Pre}_{T_e}(\mathcal{P}_i)$ using (13); 

(iii) If $P$ is a convex and bounded semi-linear set, then $P = \mathcal{P} \setminus \bigcup_{i \in I} \mathcal{P}_i$ for some polytope $\mathcal{P}$ and its facets $\mathcal{P}_i \in f(\mathcal{P})$. Since $T_e$ is deterministic, we have $\mathrm{Pre}_{T_e}(P) = \mathrm{Pre}(\mathcal{P}) \setminus \mathrm{Pre}(\bigcup_{i \in I} \mathcal{P}_i)$, where the second term can be computed as described in case (ii); 

(iv) If $P$ is a general (non-convex) bounded semi-linear set, then again it can be decomposed into convex and bounded semi-linear sets and $\mathrm{Pre}_{T_e}(P)$ can be computed as the union of their Pres as described in case (iii). 

As summarized above, we see that $\mathrm{FindPre}(P)$ can always be carried out by convex decompositions and repeated applications of (13), and thus $\mathrm{FindPre}(P)$ only requires polytopic operations. Since the Pre of a bounded semi-linear set is a bounded semi-linear set, FindPre can be carried out with polytopic operations throughout Alg. 1. 
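The following is an added example, not code from the paper, of the Pre computation (13) on an H-representation and of the facet-difference rule of case (iii). The system matrix, the box polytope and the sample points are constructed for illustration. Sets are kept as $\{x \mid Hx \leq h\}$; the Pre is obtained by multiplying $H$ with $A$, and facets removed from the polytope are tracked as rows whose inequality is strict, which is exactly the set $\mathrm{Pre}(\mathcal{P}) \setminus \mathrm{Pre}(\text{facets})$ of case (iii) because $T_e$ is deterministic. Each result is checked against the definition of Pre, i.e. $x \in \mathrm{Pre}(P)$ iff $Ax \in P$.

```python
"""Pre of H-representation polytopes under x' = A x, eq. (13), and the
facet-difference rule of case (iii) for convex bounded semi-linear sets.

Added example, not code from the paper. A, the box P and the sample points
are constructed for illustration.
"""

A = [[0.5, 0.2], [-0.1, 0.6]]   # constructed system matrix of (8)

# Constructed polytope P = [-1, 1] x [-1, 1] as H x <= h (k = 4 >= n + 1 rows).
H_P = [[1.0, 0.0], [-1.0, 0.0], [0.0, 1.0], [0.0, -1.0]]
h_P = [1.0, 1.0, 1.0, 1.0]

# Constructed sample points, some on either side of the Pre boundary and one
# ([2, 0]) whose successor lies exactly on the facet x1 = 1.
SAMPLE_POINTS = [[0.0, 0.0], [1.5, 0.0], [2.5, 0.0], [0.0, 1.6], [0.0, 1.7],
                 [-1.9, 0.5], [3.0, -3.0], [1.0, 1.0], [2.0, 0.0]]


def matvec(M, x):
    return [sum(M[i][j] * x[j] for j in range(len(x))) for i in range(len(M))]


def matmul(M, N):
    return [[sum(M[i][k] * N[k][j] for k in range(len(N))) for j in range(len(N[0]))]
            for i in range(len(M))]


def pre(H, h, A):
    """Eq. (13): Pre(P) = {x | (H A) x <= h}, returned as a new H-representation.
    Row order is preserved, so facet indices of P remain valid for Pre(P)."""
    return matmul(H, A), list(h)


def contains(H, h, x, strict=None):
    """x in {x | H x <= h}. Rows listed in `strict` use < instead of <=, which
    represents the polytope with those facets removed (a convex semi-linear set)."""
    strict = set() if strict is None else strict
    for i, row in enumerate(H):
        lhs = sum(r * v for r, v in zip(row, x))
        if (lhs >= h[i]) if i in strict else (lhs > h[i]):
            return False
    return True


def pre_agrees_with_dynamics(H, h, A, points):
    """Check of (13): x is in Pre(P) exactly when the successor A x is in P."""
    H_pre, h_pre = pre(H, h, A)
    return all(contains(H_pre, h_pre, x) == contains(H, h, matvec(A, x))
               for x in points)


def pre_of_semilinear_agrees(H, h, A, removed_facets, points):
    """Case (iii): for P' = P minus the facets in `removed_facets`,
    Pre(P') = Pre(P) \\ Pre(removed facets), i.e. the Pre rows of those facets
    become strict. Checked against the definition: x in Pre(P') iff A x in P'."""
    H_pre, h_pre = pre(H, h, A)
    return all(contains(H_pre, h_pre, x, removed_facets)
               == contains(H, h, matvec(A, x), removed_facets)
               for x in points)


if __name__ == "__main__":
    H_pre, h_pre = pre(H_P, h_P, A)
    print("Pre(P) rows (H A):", H_pre)
    for x in SAMPLE_POINTS:
        print(x, "in Pre(P):", contains(H_pre, h_pre, x),
              " in Pre(P minus facet x1=1):", contains(H_pre, h_pre, x, {0}))
    print("(13) agrees with dynamics:", pre_agrees_with_dynamics(H_P, h_P, A, SAMPLE_POINTS))
    print("case (iii) agrees:", pre_of_semilinear_agrees(H_P, h_P, A, {0, 2}, SAMPLE_POINTS))
```

The point $x = (2, 0)$ illustrates the role of the strict rows: its successor $Ax = (1, -0.2)$ lies on the facet $x_1 = 1$, so $x$ belongs to $\mathrm{Pre}(\mathcal{P})$ but not to the Pre of $\mathcal{P}$ with that facet removed.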



The procedure $\mathrm{Refine}(P, \mathcal{V})$ (outlined in Alg. 2) refines an observation preserving partition $P$ by partitioning the set $\mathcal{V}$, which is assumed to be a bounded semi-linear set¹. The proof of correctness of Alg. 2 is straightforward, since sets in a partition $P = \{P_i\}_{i \in I}$ are pairwise disjoint by definition and as such $\mathcal{V} = \bigcup_{i \in I}(P_i \cap \mathcal{V})$. If $P$ consists of bounded semi-linear sets, we can directly see from Alg. 2 that the resultant refinement $P'$ has the same property. This fact allows us to use $\mathrm{FindPre}(P)$ for each set $P \in P'$. 

Algorithm 2 $P' = \mathrm{Refine}(P, \mathcal{V})$ 

Input: $P$ is an observation preserving partition of $\mathcal{X}$. $\mathcal{V} \subseteq \mathcal{X}$ is a bounded semi-linear set. 
Output: $P' = \{P_i'\}_{i \in I}$ is a finite refinement of $P$, and there exists $J \subseteq I$ such that $\mathcal{V} = \bigcup_{j \in J} P_j'$. 
1: Set $P' = P$ 
2: for all $P_i' \in P'$ such that $P_i' \cap \mathcal{V} \neq \emptyset$ do 
3:   Replace $P_i'$ in $P'$ by $\{P_i' \cap \mathcal{V},\ P_i' \setminus \mathcal{V}\}$ 
4: end for 



The correctness of Alg. 1 will be shown by an inductive argument. Given a sublevel set $\mathcal{P}_{\Gamma_i}$ and a partition $P_i$ as obtained in Alg. 1, we define $\hat{P}_i$ as 

$\hat{P}_i := \{P \in P_i \mid P \subseteq \mathcal{P}_{\Gamma_i}\}$. (14) 

From Alg. 1, we see that $P_0$ partitions all the slices, and since $P_i$ is a finite refinement of $P_0$, we can directly see that $\hat{P}_i$ is a partition of $\mathcal{P}_{\Gamma_i}$. We define an embedding transition system $T_e(i)$ as a subset of $T_e$, where its state space is $\{x \in Q_e \mid x \in \mathcal{P}_{\Gamma_i}\}$. We have the following proposition. 

Proposition 4.2. At the completion of the $i$-th iteration (in the outer loop) of Alg. 1 (where $P_{i+1}$ is obtained), if $\sim_i$ induced by $\hat{P}_i$ as defined in (14) is a bisimulation of $T_e(i)$, then $\sim_{i+1}$ induced by $\hat{P}_{i+1}$ is a bisimulation of $T_e(i+1)$. 

Proof. If $\sim_i$ induced by $\hat{P}_i$ is a bisimulation of $T_e(i)$, then from Prop. 4.1, we have that for each $x \in S_{i+1}$, $x' = Ax$ must be in a lower slice and thus $x'$ is a state of $T_e(i)$. For each $x' = Ax$ where $x \in S_{i+1}$, if $x' \in S_i$, then we have $x \in P_{pre} = \mathrm{FindPre}(P)$ (from Step 7 of Alg. 1) for some $P \in P_i$, and after the refinement step (Step 8), we have $x \in P' \subseteq P_{pre}$ for some $P' \in P_{i+1}$, and $T_e/_{\sim_{i+1}}$ is updated by 1) adding the state labeling $P'$ to $Q_e/_{\sim_{i+1}}$ and 2) adding the transition $\mathrm{eq}(P') \to_{\sim_{i+1}} \mathrm{eq}(P)$. We note that from the definition of Pre, for any $x \in P'$, $x' = Ax \in P$; thus for any $x_i \sim x_j$, $Ax_i \sim Ax_j$, and the transition $\mathrm{eq}(P') \to_{\sim_{i+1}} \mathrm{eq}(P)$ satisfies the bisimulation requirement. On the other hand, if $x' \notin S_i$, then $x' \in S_j$ for some $j < i$ and $x$ is already in a set $P'$ where $\mathrm{eq}(P') \to_{\sim_{i+1}} \mathrm{eq}(P)$ for some $P$ satisfying the bisimulation requirement. Therefore, Steps 7 and 8 of Alg. 1 provide exactly the transitions needed for all states in $S_{i+1}$ and thus $\sim_{i+1}$ induced by $\hat{P}_{i+1}$ is a bisimulation of $T_e(i+1)$. ∎ 

Proposition 4.3. Alg. 1 returns a solution to Prob. 3.1 in finite time. 



¹ With a slight abuse of notation, $\mathrm{Refine}(P, \{\mathcal{V}_i\}_{i \in I})$ stands for sequentially applying $\mathrm{Refine}(P, \mathcal{V}_i)$ for each $i \in I$. 



Proof. From Alg. 2, we have that $P_i$ is a refinement of $P_\mathcal{X}$ for any $i = 0, \dots, N$. Therefore, $P_N$ and its induced relation $\sim_N$ are observation preserving. 

At Step 4 of Alg. 1, we set $q \to_{\sim_0} q$ where $\mathrm{eq}(q) = \mathcal{V}$. From the definition of $T_e$, we see that since $\mathcal{V}$ is the only state, $\sim_0$ induced by $\hat{P}_0$ is a bisimulation of $T_e(0)$. Using Prop. 4.2 and induction, at iteration $N-1$ we have that $\sim_N$ induced by $\hat{P}_N$ is a bisimulation of $T_e(N)$. Note that $\hat{P}_N$ is exactly $P_N$, $\mathcal{P}_{\Gamma_N}$ is exactly $\mathcal{X}$ and $T_e(N)$ is exactly $T_e$. Therefore $\sim_N$ induced by $P_N$ is a bisimulation of $T_e$. 

Finally, note that at each iteration, the number of sets updated is finite. Therefore, the bisimulation quotient is finite and moreover Alg. 1 completes in finite time. ∎ 

Example 4.2. (Example 4.1 continued). Alg. 1 is applied on the same setting as in Example 4.1 to compute the bisimulation quotient. "Snapshots" of the algorithm iterations are shown in Fig. 3. The final result is a transition system with 320 states. In this example, Alg. 1 was completed in 3 minutes on a MacBook Pro 2011 model. 

5. SYSTEM VERIFICATION WITH LINEAR 
TEMPORAL LOGIC FORMULAS 

In this section we show how we can use the bisimulation quotient obtained as a solution to Prob. 3.1 to verify the behavior of system (8) in the state space $\mathcal{X} \setminus \mathcal{V}$ over the observed regions $\{\mathcal{R}_i\}_{i \in R}$ and the observation $\Pi_\mathcal{V}$ corresponding to $\mathcal{V}$. We will employ Linear Temporal Logic (LTL) to describe high level system specifications. A detailed description of the syntax and semantics of LTL is beyond the scope of this paper and can be found in, for example, [Clarke et al., 1999]. Roughly, an LTL formula is built up from a set of atomic propositions $\Pi$, which are properties that can be either true or false, standard Boolean operators $\neg$ (negation), $\vee$ (disjunction), $\wedge$ (conjunction), and temporal operators $\mathsf{X}$ (next), $\mathsf{U}$ (until), $\mathsf{F}$ (eventually), $\mathsf{G}$ (always) and $\Rightarrow$ (implication). The semantics of LTL formulas are given over words, which are defined as infinite sequences $o = o_0 o_1 \dots$, where $o_i \in 2^\Pi$ for all $i$. We say $o \models \phi$ if the word $o$ satisfies the LTL formula $\phi$. We say a trajectory $q$ of a transition system $T$ satisfies the LTL formula $\phi$ if the word generated by that trajectory (see Def. 2.1) satisfies $\phi$. 

Example 5.1. Again, consider the setting in Example 3.1 with $\mathcal{R} = \{\mathcal{R}_i\}_{i \in \{1,2,3\}}$. We now consider a specification in LTL over $R = \{1, 2, 3\}$. For example, the specification: 

"The system trajectory never visits Region 2 and eventually visits Region 1. Moreover, if it visits Region 3 then it must not visit Region 1 at the next consecutive time instant" 

can be translated to an LTL formula: 

$\phi := \mathsf{G}\,\neg 2 \wedge \mathsf{F}\,1 \wedge (3 \Rightarrow \mathsf{X}\,\neg 1)$ (15) 

Remark 5.1. Set $\mathcal{V}$ is by definition positively invariant. Therefore, all trajectories of (8) eventually reach $\mathcal{V}$. As a result, we see that any LTL formula satisfiable by (8) must not violate the formula $\mathsf{F}\,\Pi_\mathcal{V}$. For example $\psi = \mathsf{G}\,\neg\Pi_\mathcal{V} \wedge \phi$ is not satisfiable by the system for any LTL formula $\phi$, as the first part of $\psi$ is in contradiction to $\mathsf{F}\,\Pi_\mathcal{V}$. 

Problem 5.1. Let system (8) with a polyhedral Lyapunov function in the form of (7), sets $\mathcal{X}$, $\mathcal{V}$ and $\{\mathcal{R}_i\}_{i \in R}$, and an LTL formula $\phi$ over $R \cup \Pi_\mathcal{V}$ be given. Find the largest set $S \subseteq Q_e$ such that state trajectories of the embedding transition system $T_e$ originating from $S$ satisfy $\phi$. 

Our solution to Prob. 5.1 proceeds by finding a bisimulation quotient $T_e/_\sim$ of the embedding transition system $T_e$ using Alg. 1. Then we translate $\phi$ to a so-called Büchi automaton, defined below. 

Definition 5.1. A (non-deterministic) Büchi automaton is a tuple $B = (S_B, S_{B0}, \Sigma, \delta, F_B)$, where 

• $S_B$ is a finite set of states; 

• $S_{B0} \subseteq S_B$ is the set of initial states; 

• $\Sigma$ is the input alphabet; 

• $\delta : S_B \times \Sigma \to 2^{S_B}$ is the transition function; 

• $F_B \subseteq S_B$ is the set of accepting states. 

We denote $s \xrightarrow{\sigma}_B s'$ if $s' \in \delta(s, \sigma)$. A word $\sigma_0 \sigma_1 \dots$ over $\Sigma$ generates trajectories $s_0 s_1 \dots$ where $s_0 \in S_{B0}$ and $s_k \xrightarrow{\sigma_k}_B s_{k+1}$ for all $k \geq 0$. $B$ accepts a word over $\Sigma$ if it generates at least one trajectory on $B$ that intersects $F_B$ infinitely many times. 

For any LTL formula $\phi$ over $\Pi$, one can construct a Büchi automaton with input alphabet $\Sigma = 2^\Pi$ accepting all and only words over $2^\Pi$ satisfying $\phi$ [Clarke et al., 1999]. Algorithms and implementations for the translation from $\phi$ to a corresponding Büchi automaton $B$ can be found in [Gastin and Oddoux, 2001]. 

Definition 5.2. Given a transition system $T = (Q, \to, \Pi, h)$ and a Büchi automaton $B = (S_B, S_{B0}, 2^\Pi, \delta, F_B)$, their product automaton, denoted by $A = T \times B$, is a tuple $A = (S_A, S_{A0}, \Delta_A, F_A)$ where 

• $S_A = Q \times S_B$; 

• $S_{A0} = Q \times S_{B0}$; 

• $\Delta_A \subseteq S_A \times S_A$ is the set of transitions, defined by: $((q, s), (q', s')) \in \Delta_A$ iff $q \to q'$ and $s \xrightarrow{h(q)}_B s'$; 

• $F_A = Q \times F_B$. 

We denote $(q, s) \to_A (q', s')$ if $((q, s), (q', s')) \in \Delta_A$. A trajectory $p = (q_0, s_0)(q_1, s_1) \dots$ of $A$ is an infinite sequence such that $(q_0, s_0) \in S_{A0}$ and $(q_k, s_k) \to_A (q_{k+1}, s_{k+1})$ for all $k \geq 0$. Trajectory $p$ is called accepting if and only if it intersects $F_A$ infinitely many times. 

By the construction of $A$ from $T$ and $B$, $p$ is accepting if and only if $q = \pi(p)$ satisfies the LTL formula corresponding to $B$ [Clarke et al., 1999], where $\pi(p)$ is the projection of a trajectory $p$ on $A$ onto $T$ by simply removing the automaton part of the state in $(q, s) \in S_A$. 

Remark 5.2. Normally the product automaton is constructed from a transition system with an initial state $q_0$, whereas the transition system generated as a solution to Prob. 3.1 is not initialized. Since any state $q \in Q_e/_\sim$ can be an initial condition, the set of initial states of $A$ is $Q_e/_\sim \times S_{B0}$. Thus, here we augment the definition of $A$ slightly so that it is constructed as a product of an uninitialized transition system and a Büchi automaton. 

In [Ding et al., 2010], an algorithm was proposed to compute the largest subset $F_A^\ast \subseteq F_A$ such that each of its states can reach another state in $F_A^\ast$. The following property was shown to hold: 
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Fig. 3. (a) The slices are shown in yehow, except P, which is shown in hght brown. The observed regions are shown in 
transparent green, (b) In the first iteration (z = 0), the shce Sq = V is shown in red. (c) The Pre of So is shown 
in blue. At this point, the bisimulation quotient for states within Ppo = ^ is completed, which consists of just a 
single state, (d) In the second iteration (z = 1), the slice Si is shown in red. (e) The Pre of 5i is shown in blue. At 
this point, the bisimulation quotient for states within Pr^ is completed, (f) At the last iteration where i = 10, the 
algorithm is completed. The state space covered by the bisimulation quotient is shown in red, covering all of X. 

Proposition 5.1. A trajectory p is accepting if and only 
ach accepting; state appearing; in p is in F^ . 



"^• 



if each accepting state appearing in p 

A state $q \in Q$ of $T$ from which the trajectory satisfies the formula must be such that a state in $F_A^*$ is reachable from $(q, s_0)$ for some $s_0 \in S_{B0}$. Therefore, Prob. 5.1 can be solved by a simple reachability analysis for the set $F_A^*$ on the product automaton. Note that during the generation of the set $F_A^*$ in the algorithm proposed in [Ding et al., 2010], the reachability is already determined for each state in $A$, so no extra computation is necessary. This procedure is summarized in the following algorithm.



Algorithm 3 Finding the largest subset satisfying an LTL formula

Input: $X$, $P$, $\{\mathcal{R}_i\}_{i \in R}$, and an LTL formula $\phi$ over $R \cup \{\Pi_X\}$
Output: The largest set $S \subseteq Q_e$ such that the embedding transition system $T_e$ with the initial state $q_0 \in S$ produces a word satisfying $\phi$
1: Generate the bisimulation quotient $T_e/\!\sim$ for $T_e$.
2: Translate $\phi$ to a Büchi automaton $B$.
3: Generate the product $A$ between $T_e/\!\sim$ and $B$.
4: Find the subset $F_A^* \subseteq F_A$ with the algorithm by Ding et al. [2010].
5: $S = \{eq(q) \mid q \in Q_e/\!\sim$ and there exists $s_0 \in S_{B0}$ such that a state in $F_A^*$ is reachable from $(q, s_0)\}$
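The product construction of Def. 5.2 together with steps 4 and 5 of Alg. 3, carried out on a small constructed instance as an added Python example that is not part of the paper or of the algorithm in [Ding et al., 2010]. It assumes that the automaton step in the product consumes the observation $h(q)$ of the source state, computes $F_A^*$ as a greatest fixpoint of the property stated above, and uses a constructed two-state automaton for "infinitely often $a$"; the state names and labels are illustrative.

```python
# Added example (not the paper's own code): product automaton of Definition 5.2,
# the largest subset F_A^* of accepting product states from which another member
# of F_A^* is reachable, and step 5 of Algorithm 3. All inputs are constructed.

def successors(ts, buchi, state):
    """(q,s) -> (q',s') iff q -> q' in T and s' in delta_B(s, h(q)); the
    automaton consuming the observation of the source state is an assumption."""
    q, s = state
    return {(q2, s2) for q2 in ts["trans"][q]
            for s2 in buchi["delta"](s, ts["label"][q])}

def reachable(ts, buchi, start, strict=False):
    """Product states reachable from start; strict=True needs at least one step
    (so start itself counts only when it lies on a cycle)."""
    stack = list(successors(ts, buchi, start)) if strict else [start]
    seen = set()
    while stack:
        x = stack.pop()
        if x not in seen:
            seen.add(x)
            stack.extend(successors(ts, buchi, x))
    return seen

def largest_accepting_subset(ts, buchi):
    """Greatest fixpoint: drop accepting states that cannot reach, in one or
    more steps, some member of the current candidate set."""
    f_star = {(q, s) for q in ts["trans"] for s in buchi["accept"]}
    while True:
        keep = {x for x in f_star if reachable(ts, buchi, x, True) & f_star}
        if keep == f_star:
            return f_star
        f_star = keep

def satisfying_states(ts, buchi):
    """Step 5 of Algorithm 3: states q such that for some initial automaton
    state s0 a state of F_A^* is reachable from (q, s0) in the product."""
    f_star = largest_accepting_subset(ts, buchi)
    return {q for q in ts["trans"]
            if any(reachable(ts, buchi, (q, s0)) & f_star for s0 in buchi["init"])}

# Constructed quotient transition system; h(q) is a subset of Pi = {"a"}.
TS = {"trans": {"q0": {"q1"}, "q1": {"q0"}, "q2": {"q2"}, "q3": {"q2"}},
      "label": {"q0": frozenset(), "q1": {"a"}, "q2": frozenset(), "q3": {"a"}}}
# Constructed Buchi automaton for "infinitely often a": s1 is the only
# accepting state and is entered exactly when the observation contains a.
BUCHI = {"init": {"s0"}, "accept": {"s1"},
         "delta": lambda s, sigma: {"s1"} if "a" in sigma else {"s0"}}

print(sorted(satisfying_states(TS, BUCHI)))  # ['q0', 'q1']
```

State q3 observes $a$ once and then stays in q2 forever, so it is correctly excluded although its product state (q3, s1) lies in $F_A$.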



Proposition 5.2. Upon termination, Alg. 3 gives a solution to Prob. 5.1.

Proof. We prove that Alg. 3 generates the largest set of satisfying states by contradiction. From the last step of Alg. 3, we have that $S = \{eq(q) \mid q \in Q_e/\!\sim$ and $\exists s_0 \in S_{B0}$ such that a state in $F_A^*$ is reachable from $(q, s_0)\}$. Assume that there exists $q_e \notin S$ such that a trajectory from $q_e$ satisfies $\phi$, and $q_e \in eq(q)$ where $q \in Q_e/\!\sim$. In this case, on the product $T_e/\!\sim \times B$, from a state $(q, s_0) \in S_{A0}$, a state in $F_A^*$ cannot be reached, and from Prop. 5.1, we have that trajectory $p$ cannot be accepting on $T_e/\!\sim \times B$ and $\pi_{e/\!\sim}(p)$, as a trajectory of $T_e/\!\sim$, cannot be accepting. Therefore, $\mathcal{L}_{T_e/\!\sim}(q)$ does not satisfy $\phi$. By the property of language equivalence of bisimulations, we have $\mathcal{L}_{T_e}(q_e) \subseteq \mathcal{L}_{T_e}(eq(q)) = \mathcal{L}_{T_e/\!\sim}(q)$, and therefore the trajectory from $q_e$ cannot be accepting, which violates the above assumption. ■

Example 5.2. (Example 5.1 continued). For the example specification $\phi$ as in (15), we obtained the solution to Prob. 5.1 by following Alg. 3. The set of initial states from which the state trajectories satisfy (15) is shown in Fig. 4.




Fig. 4. The set of states satisfying $\phi$ (in purple).

6. CONCLUSIONS AND FINAL REMARKS 

In this paper we presented a method to abstract the behavior of an autonomous linear system within a positively invariant subset of $\mathbb{R}^n$ to a finite transition system via bisimulation. We employed polyhedral Lyapunov functions to guide the partitioning of the state space and showed that this requires only polytopic operations.

Future work deals with an extension to continuous-time 
linear systems and other classes of systems that admit 
polyhedral Lyapunov functions, in particular, switched 
linear systems. We also aim to relax some assumptions and 
improve the computational complexity of the approach by 
reducing the size of the bisimulation quotient. 